Bug#1093238: bookworm-pu: package 389-ds-base/2.3.1+dfsg1-1+deb12u1
Hi Andrej, hi Timo,
On Sun, Jan 19, 2025 at 01:25:02PM +0100, Andrej Shadura wrote:
> Hello,
>
> On Sat, 18 Jan 2025, at 18:13, Salvatore Bonaccorso wrote:
> >> The following were cherry-picks with no other changes from the
> >> upstream’s Git repository, branch 2.4.6:
> >>
> >> - Security fix for CVE-2024-3657
> >> - Security fix for CVE-2024-5953
> >> - Security fix for CVE-2024-8445
> >> - Security fix for CVE-2024-2199
>
> > I have a question on the followup for CVE-2024-2199, CVE-2024-8445
> > exists because of an incomplete fix for CVE-2024-2199. What is the
> > origin of the applied patch for CVE-2024-8445?
>
> > It has, AFAICS, also not yet been addressed in unstable? Is the
> > applied fix validated from upstream?
>
> This fix comes from the upstream repo, branch 1.4.3: https://github.com/389ds/389-ds-base/commit/1d3fddaac33
>
> I’m not sure why it’s not on other branches, and the bug’s description is (intentionally?) very vague about *which* versions are affected.
Thanks for the reference to the commit!
What I have found so far is that the incomplete fix *might* only
affect the 1.4.3.40 and 1.4.4.20 releases for the included
CVE-2024-2199 but it is claimed that versions >= 2.0 which contain the
CVE-2024-2199 fix are not affected by the incomplete fix.
Now I guess the next steps are to reach out to upstream to understand
it more, and secondly to understand if the applied commit for bookworm
is still just a "noop" or in the worst case can have negative consequences?
Timo, any insights? (sorry, I'm not too knowledgeable on 389-ds-base
myself).
Regards,
Salvatore